<?php

$bits = 4096;

$ca_key = openssl_pkey_new(array(
    'private_key_bits' => (int) $bits,
    'private_key_type' => OPENSSL_KEYTYPE_RSA
));


$ca_csr = openssl_csr_new(
    array(
        "countryName" => "AU",
        "stateOrProvinceName" => "Some-State",
        //"localityName" => "",
        "organizationName" => "Some Authority",
        "organizationalUnitName" => "CA",
        "commonName" => "Some Root CA G2",
        //"emailAddress" => "void@example.org"
        
    )
    , $ca_key
    , array(
        'digest_alg' => 'sha512',
    )
);


$days = 365;
$ca_crt = openssl_csr_sign(
    $ca_csr
    , NULL
    , $ca_key
    , (int) $days
    , array(
        'digest_alg' => 'sha512',
    )
    , 0 // serial number
);

print_r(openssl_x509_parse($ca_crt));
openssl_x509_export($ca_crt, $data);
echo $data;


$mid_ca_key = openssl_pkey_new(array(
    'private_key_bits' => (int) $bits,
    'private_key_type' => OPENSSL_KEYTYPE_RSA
));

$mid_ca_csr = openssl_csr_new(
    array(
        "countryName" => "AU",
        "stateOrProvinceName" => "Some-State",
        //"localityName" => "",
        "organizationName" => "Some Authority",
        "organizationalUnitName" => "CA",
        "commonName" => "Some S/MIME CA G1",
        //"emailAddress" => "void@example.org"
        
    )
    , $mid_ca_key
    , array(
        'digest_alg' => 'sha512',
    )
);


$days = 365;
$mid_ca_crt = openssl_csr_sign(
    $mid_ca_csr
    , NULL
    , $mid_ca_key
    , (int) $days
    , array(
        'digest_alg' => 'sha512',
        'extensions' => array(
            'basicConstraints' => 'critical,CA:TRUE,pathlen:0',
        ),
    )
    , 1 // serial number
);

print_r(openssl_x509_parse($mid_ca_crt));
openssl_x509_export($mid_ca_crt, $data);
echo $data;


// vim: ts=4 et ai

